Platform: other
Component: ox-dovecot-pro
Fixed in: 2.3.1
CVE-2026-27855 is an OTP replay vulnerability in OX Dovecot Pro. When the authentication cache is enabled and a passdb rewrites the username, OTP credentials end up stored in the cache, so an attacker who has observed a completed OTP exchange can replay it and log in as that user. Affected: OX Dovecot Pro versions up to and including 2.3.0; fixed in 2.3.1. If you cannot update immediately, stop offering OTP in favour of SCRAM or OAuth2 and require TLS on the authentication path.
The root cause is that an OTP (One-Time Password) response is meant to be accepted exactly once, but under the conditions above the cached credential lets a previously valid response authenticate again, which defeats the one-time property. The CVSS base score is 6.8 (medium).
Exploitation needs three things to line up: the attacker must be able to observe an OTP exchange (trivial on an unencrypted connection, which is why the advisory stresses TLS), the authentication cache must be enabled, and a passdb must rewrite the username. The replay also has to happen while the cached entry is still valid, which is bounded by the cache TTL. No public exploit is known, but that should not delay mitigation, since a working exploit can appear at any time.
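As an added illustration (not code from the advisory or from Dovecot), the Python script below embeds two constructed Dovecot 2.3-style configuration fragments, one with the affected combination (otp in auth_mechanisms, a non-zero auth_cache_size, and a passdb whose override_fields rewrites the username) and one with the corrections applied (OTP dropped in favour of scram-sha-256 and oauthbearer, the cache disabled, TLS required), and audits each for that combination. Treating an override_fields entry that sets user= as the marker of a username-rewriting passdb is an assumption made for this example; a backend that returns a different user field at lookup time is invisible to a static scan of the config file.

```python
"""Audit a Dovecot 2.3-style config for the combination the advisory
describes: OTP mechanism offered, auth cache enabled, passdb rewriting the
username.  Added example, not Dovecot code; both sample configs are
constructed for illustration."""
import re

# Constructed sample: the affected combination.
VULNERABLE_CONF = """
auth_mechanisms = plain login otp
auth_cache_size = 10M
auth_cache_ttl = 1 hour
ssl = yes
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  # assumed marker: rewrites the username after lookup
  override_fields = user=%n@example.org
}
"""

# Constructed sample: OTP removed, SCRAM/OAuth2 offered instead, cache off, TLS required.
HARDENED_CONF = """
auth_mechanisms = plain login scram-sha-256 oauthbearer
auth_cache_size = 0
ssl = required
disable_plaintext_auth = yes
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
}
"""

_KV = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")


def parse(conf):
    """Minimal parser: top-level key = value lines plus the settings inside
    each passdb { } block.  Handles only the flat subset used above."""
    top, passdbs, current = {}, [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("passdb") and line.endswith("{"):
            current = {}
            continue
        if line == "}" and current is not None:
            passdbs.append(current)
            current = None
            continue
        m = _KV.match(line)
        if m:
            (current if current is not None else top)[m.group(1)] = m.group(2)
    return top, passdbs


def cache_enabled(top):
    # Dovecot disables the auth cache when auth_cache_size is 0 (the default).
    size = top.get("auth_cache_size", "0").strip().lower()
    return size not in ("0", "0b", "")


def rewrites_username(passdb):
    # Assumed heuristic for this example: override_fields setting user=
    # changes the username that the cache entry is stored under.
    return "user=" in passdb.get("override_fields", "")


def audit(conf):
    """Return a list of findings; an empty list means none of the checks fired."""
    top, passdbs = parse(conf)
    mechs = top.get("auth_mechanisms", "").lower().split()
    otp = "otp" in mechs
    findings = []
    if otp and cache_enabled(top) and any(rewrites_username(p) for p in passdbs):
        findings.append("otp + auth cache + username-rewriting passdb: replay-prone combination")
    if otp and top.get("ssl", "no").lower() != "required":
        findings.append("otp offered without ssl=required: OTP exchange observable on the wire")
    if otp and not any(m in mechs for m in ("scram-sha-256", "scram-sha-1", "oauthbearer", "xoauth2")):
        findings.append("no SCRAM/OAuth2 alternative offered alongside otp")
    return findings


if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

The audit is deliberately conservative: it only reports the replay-prone combination when all three conditions are visible in the file, so a passdb driver that rewrites the username from its backend still needs a manual check.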
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary fix is to update to OX Dovecot Pro 2.3.1 or later. Where that is not immediately possible, stop offering OTP and use SCRAM (or OAuth2) instead, which matters most if clients authenticate over connections an attacker could observe; require TLS on the authentication path so an OTP exchange cannot be captured; and disable the authentication cache, which removes the condition that makes the replay possible. In the meantime, review authentication logs for OTP logins that arrive without TLS or from unexpected source addresses.
In short: update to 2.3.1 or later. If you cannot update, disable the authentication cache, replace OTP with SCRAM or OAuth2, and require TLS.
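Added example, not part of the advisory: a Python heuristic over constructed Dovecot-style imap-login "Login:" lines that flags OTP logins made without TLS and OTP logins for the same user from more than one source address inside a short window, the two patterns the mitigation text suggests watching for. The log format, field names, ten-minute window and alert names are assumptions made for this example, and the log lines are fabricated.

```python
"""Heuristic detector over Dovecot-style login log lines.  Added example;
the sample log is constructed to resemble dovecot's imap-login "Login:"
messages and is not real data.  Field names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per successful login.
SAMPLE_LOG = """\
Mar 10 08:00:01 mx1 dovecot: imap-login: Login: user=<alice>, method=OTP, rip=203.0.113.5, lip=10.0.0.1, mpid=4101, TLS, session=<a1>
Mar 10 08:00:40 mx1 dovecot: imap-login: Login: user=<alice>, method=OTP, rip=198.51.100.7, lip=10.0.0.1, mpid=4102, TLS, session=<a2>
Mar 10 08:03:15 mx1 dovecot: imap-login: Login: user=<bob>, method=OTP, rip=192.0.2.9, lip=10.0.0.1, mpid=4103, session=<b1>
Mar 10 09:30:00 mx1 dovecot: imap-login: Login: user=<carol>, method=SCRAM-SHA-256, rip=203.0.113.5, lip=10.0.0.1, mpid=4104, TLS, session=<c1>
Mar 10 09:45:00 mx1 dovecot: imap-login: Login: user=<dave>, method=OTP, rip=192.0.2.20, lip=10.0.0.1, mpid=4105, TLS, session=<d1>
Mar 10 10:45:00 mx1 dovecot: imap-login: Login: user=<dave>, method=OTP, rip=192.0.2.21, lip=10.0.0.1, mpid=4106, TLS, session=<d2>
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dovecot: \S+: Login: "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[\w-]+), rip=(?P<rip>[^,]+),"
    r"(?P<rest>.*)$"
)


def parse_logins(text, year=2026):
    """Parse login lines into dicts; syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "user": m["user"],
            "method": m["method"].upper(),
            "rip": m["rip"],
            "tls": ", TLS" in m["rest"],   # dovecot appends "TLS" when the session was encrypted
        })
    return events


def detect(events, window=timedelta(minutes=10)):
    """Return (alert, user, rip) tuples in chronological order.

    otp_without_tls:  an OTP exchange that was observable on the wire.
    otp_multi_source: OTP logins for one user from different addresses within
                      the window, consistent with a replayed exchange.
    """
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["method"] != "OTP":
            continue
        if not e["tls"]:
            alerts.append(("otp_without_tls", e["user"], e["rip"]))
        recent = [p for p in by_user[e["user"]] if e["ts"] - p["ts"] <= window]
        if {p["rip"] for p in recent} - {e["rip"]}:
            alerts.append(("otp_multi_source", e["user"], e["rip"]))
        by_user[e["user"]].append(e)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logins(SAMPLE_LOG)):
        print(*alert)
```

Both rules are heuristics: a user who legitimately roams between networks will trip the second one, and the window should be tuned to the auth cache TTL in use, since that is the longest a captured exchange can remain replayable.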
OTP (One-Time Password) is a security code meant to be valid for a single login. The vulnerability is that, under the conditions above, an OTP response is cached and accepted again, so an attacker who captured it can log in as the user.
If you run Dovecot Pro 2.3.0 or earlier with the authentication cache enabled and a passdb that rewrites the username, you are likely affected.
Until you can update to 2.3.1 or later, disable the authentication cache, or stop offering OTP and use SCRAM over TLS instead.
A CVSS base score of 6.8 falls in the medium band (high begins at 7.0) and still warrants prompt mitigation.
Consult the official Dovecot Pro documentation and industry security sources for updates and additional details.